SIMPLE SOLUTION

DATA REDUCTION OF SIGNATURE TO STRING S

LOOKUP S IN SIGNATURE TABLE

IF S IS NOT IN TABLE ADD ENTRY
FOR S WITH COUNT 0

INCREMENT COUNTER FOR S

IF COUNTER FOR S IS GREATER
THAN FREQTHRESHOLD THEN
ADD S TO FREQCONTENTTABLE

SCALABLE SOLUTION 



FIG. 3 
OPTIONALLY USE A
BLOOM FILTER OR A COUNTING BLOOM
FILTER (REF 13) TO REMOVE CONTENT
WITH SMALL (E.G., 1)
REPETITION COUNT

FOR EACH STAGE I (OF K STAGES) DO

HASH S USING
HASH FUNCTION I TO GET POSITION K[I]
INCREMENT COUNTER IN POSITION K[I] OF
STAGE I TABLE

IF ALL K STAGE COUNTERS
HASHED INTO ARE GREATER
THAN STAGEFREQTHRESHOLD ADD
S TO FREQCONTENTTABLE
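
The scalable solution of FIG. 3, run beside the simple per-signature counter, as an added Python example (not code from the patent). The BLAKE2b stage hashes, the table sizes, the threshold value and the sample packets are assumptions.

```python
import hashlib
from collections import Counter

class MultistageFilter:
    """K stage tables of counters; S is frequent only if all K of its counters pass."""

    def __init__(self, stages=4, slots=256, stage_freq_threshold=3):
        # Sizes and threshold are assumed values; the figure gives none.
        self.stages, self.slots = stages, slots
        self.threshold = stage_freq_threshold
        self.tables = [[0] * slots for _ in range(stages)]
        self.freq_content_table = set()

    def _position(self, stage, s):
        # "Hash function I": BLAKE2b salted with the stage index (assumption).
        d = hashlib.blake2b(s, digest_size=8, salt=bytes([stage])).digest()
        return int.from_bytes(d, "big") % self.slots

    def observe(self, s):
        """Count one occurrence of S; return True if S is now in FreqContentTable."""
        all_over = True
        for i in range(self.stages):
            k = self._position(i, s)
            self.tables[i][k] += 1
            if self.tables[i][k] <= self.threshold:
                all_over = False
        if all_over:
            self.freq_content_table.add(s)
        return all_over

def payload_signature(payload, dst_port):
    # PAYLOAD SIGNATURE = TCP payload + TCP destination port
    return payload + dst_port.to_bytes(2, "big")

def run_demo():
    # Constructed traffic: 200 one-off payloads, then one payload seen 10 times.
    packets = [(b"GET /page%d" % n, 80) for n in range(200)]
    packets += [(b"constructed repeating content", 445)] * 10
    filt, exact = MultistageFilter(), Counter()
    for payload, port in packets:
        s = payload_signature(payload, port)
        exact[s] += 1  # the "simple solution": one exact counter per signature
        filt.observe(s)
    truly_frequent = {s for s, c in exact.items() if c > filt.threshold}
    return filt.freq_content_table, truly_frequent, len(exact)

if __name__ == "__main__":
    flagged, truly_frequent, distinct = run_demo()
    print(len(flagged), "flagged;", len(truly_frequent), "truly frequent of", distinct)
```

Every counter a signature hashes into is at least its true count, so the filter never misses content above the threshold; hash collisions can only add false positives.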
GENERAL SIGNATURE = ANY SUBSET
OF TCP PAYLOAD AND HEADER

PAYLOAD SIGNATURE = TCP
PAYLOAD + TCP DESTINATION PORT

OFFSET SIGNATURE = ANY CONTINUOUS
PORTIONS IN PAYLOAD + TCP DESTINATION PORT

MULTI SIGNATURE = ONE OR MORE CONTINUOUS
PORTIONS OF PAYLOAD + TCP DESTINATION PORT

WHEN STRING S IS ADDED TO FREQ CONTENT TABLE

INITIALIZE SOURCEBITMAP AND DSTBITMAP TO ZEROES
AND SOURCESCALE TO
STHRESH BITS AND DESTSCALE TO DTHRESH BITS

FIG. 6A



5 of 10 (Replacement Sheet)
DETECTING PUBLIC NETWORK ATTACKS USING SIGNATURES AND FAST CONTENT ANALYSIS 

George Varghese et al. 
10/822,226 
15670-075001 



5/10 



FORM N BIT
COUNTING ARRAY

HASH SOURCE TO
FORM SHASH

SET BIT AT BIT
POSITION CORRESPONDING
TO SHASH

RESET
SET BITS

WHEN PROCESSING A PACKET WITH HASHED SIGNATURE S

LOOKUP ENTRY FOR
S IN FREQ CONTENT TABLE,
SKIP REMAINING STEPS IF NOT FOUND

HASH SOURCE IP ADDRESS
OF PACKET TO A W BIT NUMBER SHASH

LET r BE THE NUMBER OF BITS IN
SOURCEBITMAP CORRESPONDING TO S

IF ALL BITS IN SHASH FROM POSITIONS
r+1 THROUGH r+SOURCESCALE ARE ALL 0 THEN
SET POSITION X IN SOURCEBITMAP TO 1
WHERE X IS LOW ORDER r BITS OF SHASH

HASH DESTINATION IP ADDRESS OF PACKET
TO A W BIT NUMBER DHASH
LET r BE THE NUMBER OF BITS IN DESTBITMAP
CORRESPONDING TO S

IF ALL BITS IN DHASH FROM POSITIONS r+1
THROUGH
r+DESTSCALE ARE ALL 0 THEN
SET POSITION y IN DESTBITMAP TO
1 WHERE y IS LOW ORDER r BITS OF DHASH

SCALE UP
BY SCALE-FACTOR

FIG. 6C

TEST FOR CONTENT THAT SCANS

IF SOURCE ADDRESS OF PACKET CONTAINING
SUSPICIOUS SIGNATURE S IS IN BLACKLIST
HASH SOURCE ADDRESS INTO
A POSITIONS
SET POSITION S IN SPREADBITMAP
CORRESPONDING TO S IN SUSPICION TABLE
INCREMENT UNUSEDPROBES CORRESPONDING TO S

IF NUMBER OF BITS SET IN SPREADBITMAP > SPREADTHRESH1
AND UNUSEDPROBES > SCANTHRESH2 THEN
REPORT SCAN (S) AS TRUE;



FIG. 7 



PACKET CODE TEST

FOR EVERY OFFSET O FROM 0 TO PACKETLENGTH - N RUN THE CODE TEST

IF T OFFSET PASS THE OFFSETCODETEST REPORT POSITIVE

FIG. 8A

OFFSET CODE TEST AT OFFSET O FOR LENGTH N

LENGTHTESTED = 0

REPEAT UNTIL LENGTH > N

LOOKUP BYTE AT OFFSET
O + LENGTH IN OPCODETABLE(S)

IF OPCODETABLE SAYS INVALID
REPORT "CODE TEST FAILED" AND EXIT

IF OPCODETABLE ENTRY IS VALID INCREMENT
LENGTHTESTED BY OP CODE TABLE ENTRY LENGTH VALUE

FIG. 8B




WHEN STRING S IS ADDED TO FREQCONTENTTABLE

INITIALIZE SOURCECORBITMAP AND DSTCORBITMAP TO ZEROES

WHEN PROCESSING A PACKET WITH HASHED SIGNATURE S

LOOKUP ENTRY FOR S IN FREQCONTENTTABLE,
SKIP REMAINING STEPS IF NOT FOUND

HASH SOURCE IP ADDRESS OF PACKET TO A W BIT NUMBER SHASH
LET r BE THE NUMBER OF BITS IN SOURCECORBITMAP CORRESPONDING TO S

IF ALL BITS IN SHASH FROM POSITIONS
r+1 AND HIGHER ARE ALL 0 THEN
SET POSITION X IN SOURCECORBITMAP TO 1
WHERE X IS LOW ORDER r BITS OF SHASH

HASH DESTINATION IP ADDRESS OF
PACKET TO A W BIT NUMBER DHASH
LET r BE THE NUMBER OF BITS IN
DESTCORBITMAP CORRESPONDING TO S

IF ALL BITS IN DHASH FROM POSITIONS
r+1 AND HIGHER ARE ALL 0 THEN
SET POSITION y IN DESTCORBITMAP TO
1 WHERE y IS LOW ORDER r BITS OF DHASH

IF THE NUMBER OF COMMON BIT POSITIONS IN
SRCCORBITMAP FOR THIS INTERVAL
AND THE DSTCORBITMAP FOR LAST INTERVAL
IS > CORTHRESHOLD, THEN S PASSES THE
CORRELATION TEST

AT END OF INTERVAL FOR EVERY SUSPICIOUS SIGNATURE S

LOG SRCCORBITMAP AND DSTCORBITMAP
INITIALIZE SOURCECORBITMAP AND DSTCORBITMAP TO ZEROES

IF SIGNATURE S PASSES A BAYESIAN SPAM TEST THEN
REPORT THAT S PASSES THE SPAM TEST

INLINE CONFIGURATION

FIG. 11B



